diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 15c6479d..cbb18023 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -476,7 +476,7 @@ pyclean, py3clean, pip, pip2, ansible-playboo, man-db, init, pluto, mkinitramfs, unattended-upgr, watch, sysdig, landscape-sysin, nessusd, PM2, syslog-summary, erl_child_setup,
- npm, cloud-init, toybox, ceph
+ npm, cloud-init, toybox, ceph, hhvm
 ]
 - rule: Run shell untrusted
@@ -591,7 +591,7 @@ and not proc.pname in (shell_binaries, make_binaries, docker_binaries, k8s_binaries, package_mgmt_binaries, lxd_binaries, mesos_slave_binaries, aide_wrapper_binaries, nids_binaries, monitoring_binaries, gitlab_binaries, initdb, pg_ctl, awk, falco, cron,
- erl_child_setup, ceph, PM2, pycompile, py3compile)
+ erl_child_setup, ceph, PM2, pycompile, py3compile, hhvm)
 and not trusted_containers and not shell_spawning_containers and not proc.cmdline in (known_container_shell_spawn_cmdlines)
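Review bot: The new `hhvm` exception in both hunks is keyed on the parent process name alone (`proc.pname` in the @@ -591 clause, and the name list the @@ -476 hunk extends), so every shell whose parent reports the name hhvm is exempted, not only the HHVM runtime; the commit adds no rationale for why hhvm legitimately spawns shells, so the widened blind spot cannot be weighed against the false positives it removes. A one-line comment above the entry, such as `# hhvm: launches shells for <reason — fill in from the false-positive report>`, would let a later maintainer judge whether the exception can be dropped or narrowed. The @@ -591 hunk also repeats literals (`erl_child_setup, ceph, PM2`) that the list in the first hunk already carries, and now `hhvm` is added to both by hand; referencing that list from the `proc.pname in (...)` clause, as the clause already does for `shell_binaries` and the other lists, would keep the two exceptions from drifting apart. Both enclosing definitions begin and end outside the hunks.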